Java-Based Malware Is "Fileless"

Trojan-Spy.Win32.Lurk exploits a Java vulnerability (CVE-2011-3544) as part of a drive-by-download attack, according to Kaspersky Lab. Lurk resides in computer memory and exhibits bot-like behavior.

Kaspersky Lab discovered a new piece of malware that doesn’t create new files when infecting targeted computers, making it hard to detect.

The “fileless” malware, dubbed Trojan-Spy.Win32.Lurk, exploits a Java vulnerability (CVE-2011-3544) as part of a drive-by-download attack, Sergey Golovanov, a senior malware analyst at Kaspersky Lab, wrote on the Securelist blog Mar. 16. Drive-by downloads exploit vulnerabilities in unpatched software and generally require no user interaction to compromise the machine.

Even though the user doesn’t have to click on anything to start the attack, drive-by downloads generally save a dropper or downloader file onto the hard drive as part of the infection process. The saved file then executes commands or downloads additional malware to the computer. In the case of Lurk, Kaspersky was unable to find any files that were part of the initial infection, according to Golovanov.

"However, in this case we were in for a surprise: No new files appeared on the hard drive," Golovanov wrote.

Instead, Lurk resided in the computer’s memory and injected a rogue Java dynamic link library (DLL) into an active Java process on the compromised machine, Kaspersky Lab found. Memory-only malware is relatively rare, since rebooting the infected machine erases everything in memory. The transitory nature of this malware wasn’t a problem for the gang behind the attack, however, because it targeted news Websites: the chances of a user returning to the infected site repeatedly, and being re-infected, were high, according to Golovanov.
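The tell-tale sign of a memory-only module like the one described above is executable memory in the Java process that is not backed by any file on disk. The following is an added illustration of that check, not Kaspersky's or PCMag's code, and it assumes nothing about Lurk beyond what the article states. The region list is a constructed sample standing in for what a memory-region enumerator (VirtualQueryEx, Process Hacker, Volatility's malfind) would report for a java.exe process; the addresses, paths and byte prefixes are made up. Note the deliberate false-positive case: a JVM legitimately owns private executable memory for its JIT code cache, so private executable memory alone is only "suspect", while a private executable region that begins with a PE header is flagged as an injected module.

```python
"""Heuristic scan for an injected, memory-only DLL inside a process.

Added example (not from the article or from Kaspersky). Input is a constructed
list of memory regions; a real tool would build this list from the live
process or a memory image.
"""
from dataclasses import dataclass
from typing import List, Tuple

PE_MAGIC = b"MZ"  # DOS header signature at the start of every PE image


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: str  # page protection: "r", "rw", "rx" or "rwx"
    kind: str     # "image" (mapped from an EXE/DLL), "mapped" (data file) or "private"
    path: str     # backing file for image/mapped regions, "" for private memory
    head: bytes   # first bytes of the region, as read from the process


def is_executable(region: Region) -> bool:
    return "x" in region.protect


def classify(region: Region) -> str:
    """Return 'ok', 'suspect' or 'injected' for a single region."""
    if not is_executable(region):
        return "ok"                      # data, stack, heap: not our concern here
    if region.kind == "image" and region.path:
        return "ok"                      # code mapped from a file on disk: normal
    if region.head.startswith(PE_MAGIC):
        return "injected"                # a whole PE image that exists only in memory
    return "suspect"                     # private executable memory; JIT code is the usual benign case


def scan(regions: List[Region]) -> List[Tuple[str, Region]]:
    """Return (verdict, region) pairs for every region that is not 'ok'."""
    findings = []
    for region in regions:
        verdict = classify(region)
        if verdict != "ok":
            findings.append((verdict, region))
    return findings


# Constructed sample of a java.exe address space (all values made up).
SAMPLE_REGIONS = [
    Region(0x00400000, 0x1000, "r", "image",
           r"C:\Program Files\Java\jre6\bin\java.exe", b"MZ\x90\x00"),
    Region(0x00401000, 0x8000, "rx", "image",
           r"C:\Program Files\Java\jre6\bin\java.exe", b"\x55\x8b\xec"),
    Region(0x6D800000, 0x300000, "rx", "image",
           r"C:\Program Files\Java\jre6\bin\client\jvm.dll", b"\x55\x8b\xec"),
    Region(0x02000000, 0x100000, "rw", "private", "", b"\x00\x00\x00\x00"),   # Java heap
    Region(0x02400000, 0x200000, "rwx", "private", "", b"\x48\x83\xec\x28"),  # JIT code cache
    Region(0x7FF10000, 0x040000, "rwx", "private", "", b"MZ\x90\x00"),        # DLL with no file behind it
]


if __name__ == "__main__":
    for verdict, region in scan(SAMPLE_REGIONS):
        print(f"{verdict:9s} base=0x{region.base:08x} size=0x{region.size:x} "
              f"prot={region.protect} kind={region.kind}")
```

On the sample above the scan reports the JIT code cache as "suspect" and the private region starting with an MZ header as "injected"; everything mapped from java.exe or jvm.dll passes. In practice the "suspect" bucket is triaged by comparing the region against the JVM's known code-cache allocations, and the "injected" bucket is dumped for analysis.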

Kaspersky Lab investigated an incident in which visitors to the Russian news agency RIA Novosti’s Website (www.ria.ru) and to www.gazeta.ru, a popular Russian-language online newspaper, were infected. ria.ru and gazeta.ru themselves did not host the attack code. Instead, the malicious code snippet was included in banner ads displayed on these sites and served by AdFox, a third-party ad network.

Lurk exhibited bot-like behavior, transmitting data to and receiving instructions from a command-and-control server. Since no files are written to the hard drive, it is harder to detect the malicious code with antivirus tools, Golovanov said. The only reliable way to prevent the infection is to make sure Java is patched and at the most recent version, he said. Browsers and plug-ins also should be up-to-date so that vulnerabilities can’t be exploited.

While this attack specifically targeted Russian users, Golovanov did not rule out the possibility that the same attack could be used against people in other parts of the world. The malware could be distributed through similar banner ads or teaser networks in other countries, he said.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.